Tuesday, March 10, 2009

Using OWA logs to make your civil case

Hello Readers,

I will not be talking about OWA every time.

 In our prior time together we discussed parsing OWA logs to determine who has been accessing someone else's account. For criminal prosecution (unauthorized access) or internal investigations this might be enough, but for investigations involving the civil court system you need to show that the information accessed and the time they accessed it corresponds to some claim such as tortuous interference.

The same OWA logs we looked at last time will allow you to do this, with some caveats. When you see a single entry to access an item such as:

" /exchange/USA/Attach/read.asp?obj=000000007C6A5AC4439BD948B2EDEC2B4701083907007DC649E6901ED711982E0002B3A2389C000000C0411400007DC649E6901ED711982E0002B3A2389C0000013340B20000&att=ATT-0-C9D9D5C63632DD439C1AF3C6A4B4AF8A-TOD9D1%7E1.PPT"

This is a request to open up an email attachment, the obj show here in the query is a unique identifier for the item within the exchange database. This means that if you replay that url while, and this is important, logged in as that user you will be able to bring up the exact same message that was viewed at that time (If it was not deleted). If you attempt to access this object while logged in as any other user it will deny you, even if you login as the administrator. If you want to make sure the messages exist (meaning not deleted) restore the exchange server from a backup tape referring to the time period the message we viewed and replay it to the restored server.


These are the following asp pages that can be called by an OWA user according to about two years worth of logs from one case I worked:











































Of these we care about the following:

This is a user logging in - /exchange/USA/LogonFrm.asp

This is a user requesting to read a specific message - /exchange/USA/forms/IPM/NOTE/read.asp

This is a user opening an attachment - /exchange/USA/Attach/read.asp

This is a user composing a new message - /exchange/USA/forms/IPM/NOTE/cmpMsg.asp

This is a user reading a message request - /exchange/USA/forms/IPM/SCHEDULE/MEETING/REQUEST/mrread.asp


If you parsed our just these commands identified by the logged in user you could see what specific emails, meetings, and attachments a webmail user had viewed, created, sent using OWA and the time on which they did. Using these times and matching the ip address to the suspect you can then combine the information accessed, to the time it was accessed, to the benefit they received by having that information at that time.


As an example, in the case Exel Transporation Services Inc v. Total Transportation Services LLC et al (3:06-cv-00593) I used this to uncover a large industrial espionage case. First I used the program in the prior post to find which accounts were being used to access other email accounts in the system. Then I looked up the IP Addresses and found out one of them was actually registered to one of the ex-executives of exel directly on ARIN. We then broke out just the accesses used by those accounts (I mean really why else would the blackberry server administrative account or the voicemail server be logging into a website .. something we had to explain to counsel) into a database divided up by type of item accessed (email, attachment, calendar).


The next part was more difficult, we had to replicate their exchange network, AD controller, etc.. to restore their exchange server backups and replay those months to find out what our suspects were viewing. This included almost every decision maker within exel and according to the filings I read about $120 million dollars in lost business as they were able to read the contracts sent to customers during a bidding process and always beat them. We fed the urls into a GUI automation tool that would interact with the web browser and save the emails and attachments into MHT (full website archive) files for the lawyers review. I couldn't within the time frame get a pure perl program to work the way I needed it to.


For more information read this news article:



The case was settled out of court with a public apology written by TTS. The final stone in my understanding that led to settlement was when we matched the TTS OWA logs to the Exel OWA logs and showed the suspects logged into the TTS server with their real user name, with the same ip and at the same date/time, as they were logged into the Exel OWA server with their administrative accounts.


I hope this was useful, I can post parsers I wrote if you think it would help you in the future.